----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Adrian Chadd" <adrian@creative.net.au>
Cc: <squid-dev@squid-cache.org>
Sent: Monday, October 30, 2000 4:42 AM
Subject: Re: Anyone here read vuln-dev?
> No I don't read vuln-dev. However, Squid has not been audited at all for
> cross-site scripting vulnerabilities or other places where plain text
> are sent as HTML. There is not a single place there text is HTML
> encoded.
>
> There are issues like this in
>
> a) Error page generation
>
> b) FTP listings and messages
>
> c) Probably also in gopher and wais
>
> The error page generation is the most critical as this is exploitable at
> the client to do cross-site scripting. The other mostly fails..
>
> I certainly does not object to fixing this, however please keep in mind
> that simply encoding < > & is not enought as there are buggy clients
> around reading their 8-bit variants as 7-bit characters... so to be on
> the safe site the following encoding should be used:
>
it's #&NNN; for the format -
> & -> &
done
> < -> <
done
> > -> >
done
> <32 >=127 -> &NN; where NN is the hexadecimal value of the character
> (unsigned char).
0-1F done. 127 & above done in the attached update html. c (and yes rfc1738
was a very handy inspiration :-]
<WHINE MODE>Personally I think it would have been appropriate for the
"ideas" person to have let squid-dev know before dropping it on the world
via vuln-dev....
</WHINE MODE>
Rob
>
> /Henrik
>
>
> Adrian Chadd wrote:
> >
> > On Sun, Oct 29, 2000, Robert Collins wrote:
> > > There's a new issue with squid been reported on vuln-dev:
> > >
> > > a url like
> > > http://123.microsoft.com/<script>alert(this.document.cookie)</script>
> > > does not have it's html entities quoted (ie & > &) before display
on an
> > > errorpage. This allows cross site scripting attacks against all
clients
> > > behind squid proxies.
> > >
> > > I suggest we add a html library file similar to the rfc1738 one to
take a
> > > string and return a "safe to show on a web page" by escaping all the
known
> > > entities.
> > >
> > > Probably there is a "standard way of doing this" - perhaps the xml
library
> > > or some other library can just be linked in....
> >
> > Interesting. Ok, I'll commit what you've sent as a patch unless anyone
> > objects in the next couple days.
> >
> > --
> > Adrian Chadd "God: Damn! I left pot everywhere!
> > <adrian@creative.net.au> Now I'll have to create Republicans!"
> > - Bill Hicks
>
>
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:53 MST